Cybersecurity whistleblowers file under SEC whistleblower program

The Securities and Exchange Commission is currently evaluating cybersecurity whistleblower claims. For example, acting on a tip from a cybersecurity whistleblower, the Department of Health and Human Services recently brought charges against a hospital for improperly storing electronic protected health information.

An “eligible whistleblower” under the SEC’s Whistleblower Incentive Program is a person who voluntarily provides the SEC with “original information” about a possible violation of the federal securities laws that has occurred, is ongoing or is about to occur. The whistleblower need not be an employee of the company to submit information about that company. A whistleblower may be entitled to receive up to 30% of what the government recovers as a result of the information provided.

Finally, unlike the average employee, compliance employees do have an obligation to report internally first to be eligible for a whistleblower award. Further, the compliance employee must generally wait 120 days between reporting the issue internally and contacting the SEC. The 120-day waiting period gives the company a little extra time to verify alleged wrongdoing and attempt to remedy any identified issues before a whistleblower reports to the SEC.